ATM security devs rush out patch after boffins deliver knockout blow

A firm that supplies security software for cash machines has updated its technology after researchers uncovered a number of serious shortcomings. Flaws in GMV's Checker ATM Security technology created a means for hackers to remotely run malicious code on a targeted ATM. The CVE-2017-6968 vulnerability opened the door to all …

  1. Anonymous Coward
    Anonymous Coward

    So

    Somebody finally found a hole in OS/2 that's running all the ATMs? What, it isn't OS/2 anymore? Pity...

    1. Rich 11 Silver badge

      Re: So

      It's Windows 2000. *cough*

      1. Anonymous Coward
        Anonymous Coward

        Re: So

        Not Win 2000. XP or Win7.

        1. wolfetone
          Trollface

          Re: So

          Sure as hell isn't Windows 10.

          Nobody is that daft.

    2. Lewis R

      Re: So

      Yeah, as the Managing Member of Arca Noae, the company which just released ArcaOS 5.0, our own OS/2-based distro, stories like this make me cringe.

      The last time I saw an OS/2 system compromised by such code was...well...never.

      ArcaOS also allows these ATM manufacturers to run their older OS/2 software on modern hardware. ArcaOS on a dual or quad core system with even 2GB RAM (well over our minimum requirements) is a thing of beauty. Put that on an SSD, and there are even fewer moving parts to maintain. Such an ATM would be a tremendous asset, and not on the Microsoft patch-o'-the-week treadmill...

  2. Floz

    Watch dogs?

    This is why I try to avoid 'unknown' ATMs

  3. John Smith 19 Gold badge
    Unhappy

    "connecting the ATM to a criminal-controlled network connection"

    Would that include most banks in Eastern Europe and America?

    1. ma1010 Silver badge
      Trollface

      Re: "connecting the ATM to a criminal-controlled network connection"

      Would that include most banks in Eastern Europe and America?

      There, FTFY.

      The answer is "Yes," of course. Trick question?

  4. Mike Shepherd
    Meh

    It's difficult to take ATMs seriously on security...

    It's difficult to take ATMs seriously on security when they show adverts. Given the struggle to make any software secure, adding unnecessary parts to financial applications seems, at best, ill-advised.

    1. Robert Helpmann?? Silver badge
      Childcatcher

      Re: It's difficult to take ATMs seriously on security...

      It's difficult to take ATMs seriously on security when they show adverts.

      Just highlights that the primary purpose of a bank is to make money, not to provide service. Any security is there to provide protection to their assets. That their customers' assets might also be protected is happy coincidence.

      1. Archtech Silver badge

        Re: It's difficult to take ATMs seriously on security...

        Er, not forgetting that as soon as you deposit money with a bank it becomes legally the bank's property. All you get is an IOU.

        1. Pirate Dave Silver badge
          Pirate

          Re: It's difficult to take ATMs seriously on security...

          "All you get is an IOU."

          When you get down to it, isn't most paper money basically just an IOU anyway? There's no real intrinsic value to the scrap of paper other than the amount printed on it.

          1. Steve the Cynic

            Re: It's difficult to take ATMs seriously on security...

            "most paper money basically just an IOU"

            An interesting question, and strongly dependent on what exactly you mean by "an IOU".

            The "I promise to pay the bearer on demand" thing on a British banknote is a historical remnant of the time when the word "pound" meant "a pound of" and the thing it was a pound of was Sterling silver (pound Sterling, Sterling silver...). There's a museum in the middle of Oxford (well, there was when I lived there) that had old (17th Century?) pound coins in a display case. A f---ing pound of silver, that is. Made for a fairly hefty coin.

            But today, if you go to the Bank of England to get your sum of five pounds, they'll take your fiver and give you a different one, because the currency is no longer tied to a real asset. No modern currency is tied to a real asset - they are *all* "fiat" currencies, even the mighty (?) US dollar, which ceased to be an asset-backed currency (gold) in 1971.

            So yes, or no, it's still (or not) an IOU, but it's not at all clear what it is that I owe you if you have one and it's me that owes (or doesn't) you something.

  5. Sureo

    Funny...

    Funny how when the problem is, for example, Android, security updates seldom or never get distributed and applied, but when money is flying out the window.....

  6. Anonymous Coward
    IT Angle

    Security product designed to protect ATMs is not secure

    I don't suppose you would favor us with the Windows OS version that this product runs on? Security cannot be tacked on as an afterthought but must be baked into the product, regardless of how PCI-DSS compliant it is certified as. In the old days updating the software on an ATM required the visit of two technicians with a hardware dongle that they plugged into the ATM. The technicians typed in two unique serial numbers that were used to generate a unique encryption key and used to update the device. Once this was done any future attempt to overwrite the firmware would fail. All such security mitigation devices are rendered useless since the banks moved their ATMs to a toy of an Operating System.

    1. kain preacher Silver badge

      Re: Security product designed to protect ATMs is not secure

      Checker is available for the following operating systems: Windows (NT, XP, Vista and 7) and Linux (kernel 2.6 and 3.0). If you are running an ATM on Windows NT 4.0 I'm not sure what to say.

      I've never seen an ATM that ran on Linux. It's either been Windows or OS/2.

    2. Tom Paine Silver badge

      Re: Security product designed to protect ATMs is not secure

      Firmware? Nothing to do with the OS, then?

  7. EnviableOne Bronze badge

    Most of them are still running XP Embedded 2009 (which is still supported till 2019).


Biting the hand that feeds IT © 1998–2019